Authentication Bypass Vulnerability in miniOrange Social Login Plugin for WordPress
CVE-2026-12761
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-12761?
The miniOrange Social Login and Register plugin for WordPress reveals a significant security flaw wherein the Profile Completion flow fails to adequately validate email addresses supplied through the 'email_field' POST parameter. This oversight allows attackers to impersonate any user by entering an arbitrary email linked to an OAuth provider. Furthermore, the method send_otp_token() exposes vulnerable information, enabling unauthorized parties to generate and crack an OTP offline. With access to a predictable OTP space and a static customer key, attackers can swiftly log in as any user—potentially gaining administrator privileges. This vulnerability emphasizes the need for robust authentication mechanisms to protect user accounts.
Affected Version(s)
miniOrange Social Login and Register (Discord, Google, Twitter, LinkedIn) 0 <= 7.7.0